Inside Cybersecurity

November 13, 2025

Daily News

Industry groups urge defense contractors to prepare for CMMC rollout, with release of final procurement rule

By Sara Friedman / September 10, 2025

Industry stakeholders are highlighting the importance of preparing for procurement requirements as the Pentagon’s Cybersecurity Maturity Model Certification program goes into effect, with the release of a final rule making changes to defense acquisition rules.

“PSC welcomes the long-anticipated final rule on contractual requirements related to the Cybersecurity Maturity Model Certification (CMMC) program. Over the last five years -- since the Government first published an interim rule on this program -- PSC and our member companies have engaged closely with defense officials to ensure that CMMC requirements are clear, common-sense, and consistently applied,” Professional Services Council CEO James Carroll said in a statement.

The final rule to amend the Defense Federal Acquisition Regulation Supplement is scheduled for publication today in the Federal Register, with a 60-day effective date.

The DFARS rulemaking follows another final rule that went into effect on Dec. 16 to establish the CMMC program in Part 32 of the Code of Federal Regulations. Official CMMC assessments started in January, but the timeline for the procurement requirements will kick in when the DFARS final rule goes into effect.

Carroll said, “This new rule includes much-needed clarifying language, including but not limited to ‘plan of action and milestones (POA&M)’ and ‘conditional CMMC status,’ and offers the contracting community more information on how and when CMMC-related requirements will be incorporated into contracts. PSC plans to continue productive discussions with contractor and government colleagues alike as the November effective date approaches -- and will ask implementation-related questions as they arise.”

Carroll added, “The release of this final rule also underscores the importance of the cybersecurity ecosystem that supports federal contractors. In particular, the CMMC Third-Party Assessor Organizations (C3PAOs) that play a vital role in evaluating a company’s cybersecurity maturity, as well as its ability to protect sensitive information. We have heard anecdotes about long lead times for such evaluations, and we look forward to working with the C3PAO community to ensure timely and thorough assessments for all defense contractors who require them.”

The National Defense Industrial Association also weighed in on the final rule.

“NDIA appreciates the efforts of the Department to address the threats posed by ongoing malicious cyber activities. NDIA and its member companies are fully committed to securing the data and systems that power the U.S. defense industrial base, as well as the platforms, infrastructure, and services that support our nation’s warfighters. NDIA will continue to assist our member companies with information and resources and continue to engage with the Department as we move through the phased implementation of CMMC,” NDIA spokesperson Rachel Sutherland said.

The timeline for official assessments was determined by the Cyber Accreditation Body, which is responsible for authorizing certified third-party assessment organizations and individual assessors.

Cyber AB CEO Matthew Travis told Inside Cybersecurity, “The light at the end of the CMMC rulemaking tunnel is finally in view. We congratulate the Department of Defense on their unwavering endurance, persistence, and commitment in seeing this process through. We also encourage defense contractors to engage now in the CMMC Ecosystem, where informed implementation assistance and CMMC Level 2 certification assessments are available today.” -- Sara Friedman (sfriedman@iwpnews.com)